Scope of the Information Systems Security (ISS)
The Information Systems Security (ISS) of Potions encompasses all the company’s information systems, reflecting the diversity of their uses, locations, access methods, and the people involved.
Security Requirements
The security of the Information System relies on the following criteria:
- Confidentiality: “Confidentiality is the property that information is not made available or disclosed to unauthorised individuals, entities, or processes” (ISO 7498-2, ISO90).
- Availability: Ensuring data and functions are accessible at the required time by authorised users.
- Integrity: “Integrity is the prevention of unauthorised modification of information” (ISO 7498-2, ISO90).
These security requirements apply to both the resources of the information system (computers, networks, applications) and the data they process. Data must be inventoried and classified (e.g., defence, scientific, administrative, personal, strategic) to determine their sensitivity level and the necessary protection measures.
Threats
To implement appropriate security measures, the EBIOS method (Expression of Needs and Identification of Security Objectives – DCSSI) recommends understanding threat types and their impacts. Threats can be categorised as follows:
- Direct attacks on the information system: Data theft, data modification, denial of service, etc.
- Attacks on IT resources: Resource theft, misuse, data alteration, malware distribution, etc.
- Accidents: Natural disasters, accidental data or resource alteration.
For each threat, risks must be assessed by considering the likelihood of occurrence and identifying potential aggravating factors (e.g., negligence, lack of information or procedures).
Implementation of the ISSP
The ISSP (Information Systems Security Policy) of Potions outlines a set of organisational and technical principles. These principles are detailed further in technical guidelines or instructions, whose development, dissemination, and communication are managed by the ISS functional chain.
Organisation
Access to IT Resources
The provision of IT resources to a user must be formalised upon their arrival, change in role, and departure. Access to resources must be controlled (identification, authentication) and adapted to the user’s authorised rights (roles, privileges, and profiles).
IT Usage Charter
Before accessing IT tools, users must be informed of their rights and responsibilities through the "Good IT Usage Charter," integrated into Potions’ internal regulations.
Data Protection
- Availability, Confidentiality, and Integrity of Data: Data processing and storage, application and service access, and data exchanges between information systems must be conducted to prevent data loss, alteration, misuse, or unauthorised disclosure. Regular backups, with validated restoration processes, must be implemented. A distinction must be made between production backups (e.g., restoring specific data) and contingency backups (e.g., recovery on external systems following major incidents).
- Sensitive Data Protection: Sensitive data must be identified and classified based on their sensitivity level. This classification should be regularly reviewed, and appropriate protective measures (e.g., access control, encryption) applied during storage, processing, or exchange.
- Personal Data: Processing of personal data must comply with GDPR. Any required notifications or authorisations must be handled through the Data Protection Officer (DPO). Personal data, being sensitive, must be safeguarded as per GDPR requirements.
- Encryption: Encryption is mandatory for the storage and exchange of sensitive data.
Securing the Information System
Server Administration
Server administration is handled by the company’s DevOps team.
Workstation Administration
Individual workstation administration is also managed by the DevOps team, except in justified cases where users administer their own workstations because of specific needs and expertise.
Workstation and Mobile Device Security
Workstations and mobile devices must be secured by robust passwords, which are personal and confidential. Users are responsible for ensuring that security mechanisms (antivirus, operating system updates, and software updates) are functioning properly, and for reporting any issues to the security correspondent. Special measures must be taken for mobile devices used outside their secure zone (e.g., encryption, theft protection).
Access Control
Access to the information system requires user identification/authentication and authorisation checks. Authentication should, where possible, utilise the Potions directory. Permissions must be carefully defined, granting only necessary privileges. All access must be logged. Shared or anonymous accounts are to be exceptions and must be justified.
Application Security
Security must be considered at every stage of an IT project. Applications, whether internal or external, must align with the sensitivity of the data they process or exchange.
Network Security
Information systems must be protected from external threats through access filters applied to network gateways. Servers must be specifically protected against access from workstations and from other servers. For external access to servers, encrypted connections (e.g., SSH tunnels) must be used.
Maintaining Security Standards
Technical measures must ensure the ongoing security of hardware and software through updates, patches, and monitoring of vulnerabilities. Security logs must be analysed regularly to verify system security.
Incident Management
All information system users, including administrators, must report any incidents, real or suspected, to the ISS chain and hierarchical authorities. This includes theft of IT equipment or data storage devices.